VobfusLNK.A

Its main objective is to spread and affect as many computers as possible. It spreads through removable devices, such as USB keys, and through mapped drives. Unlike other variants of this family, it exploits the Windows vulnerability MS10-046 (CVE-2010-2568), which allows remote code execution.

Affected platforms:

Windows 2003/XP/2000/NT/ME/98/95

First detected on:

July 23, 2010

Detection updated on:

Aug. 19, 2010

Statistics

No

Brief Description

VobfusLNK.A is a worm whose main aim is to spread and affect as many computers as possible.

It uses several means to spread in order to ensure its distribution:

- Through removable devices, like USB keys, on which it creates several shortcuts with the names of folders used by Windows, like Documents or Music, and an AUTORUN.INF file which points to the copy of the worm.

- Through mapped drives, on which it creates an AUTORUN.INF file which points to the copy of the worm.

These are the general characteristics of a worm belonging to the Vobfus family. However, this variant has a new feature, as it exploits the vulnerability MS10-046 (CVE-2010-2568). This Windows vulnerability, which affects shortcuts, allows remote code execution.

Note: Microsoft has already released the security patch that solves this vulnerability. If you have a Windows 2008/7/Vista/2003/XP computer, it is recommended to download and apply the security patch for this vulnerability. Access the web page for downloading the patch.

Visible Symptoms

VobfusLNK.A is difficult to recognize, as it does not display any messages or warnings that indicate it has reached the computer.

However, when VobfusLNK.A spreads through removable drives, like USB keys, it will create several shortcuts which actually point to a copy of the worm.

The names it uses for some shortcuts are similar to those of the usual Windows folders, like Music, Pictures or Video, among others.

On the other hand, it creates several shortcuts using names like zFW, zkX or zLM which are specially designed to exploit the Windows vulnerability mentioned in the previous section.
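A defender-side triage check for the symptoms described above, as an added example that is not part of the original entry or of any vendor tool: it lists the programs an AUTORUN.INF would launch and flags shortcuts named after Windows folders or matching the zFW/zkX/zLM naming. The "z plus two letters" rule, the function names and the sample drive contents are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Folder names the entry says the worm imitates.
DECOY_NAMES = {"documents", "music", "pictures", "video"}
# Assumption: "names like zFW, zkX or zLM" generalised to 'z' + two letters.
Z_NAME = re.compile(r"^z[A-Za-z]{2}$")
# AUTORUN.INF keys that start a program: open, shellexecute, shell\<verb>\command.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)

def autorun_targets(text):
    """Return the commands the [autorun] section of an AUTORUN.INF would launch."""
    targets, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[autorun]"
        elif in_section and (m := LAUNCH_KEY.match(line)):
            targets.append(m.group(2))
    return targets

def triage_drive(root):
    """Return sorted (kind, detail) findings for the root folder of a drive."""
    findings = []
    for entry in Path(root).iterdir():
        if not entry.is_file():
            continue
        if entry.name.lower() == "autorun.inf":
            text = entry.read_text(errors="replace")
            findings += [("autorun-launch", t) for t in autorun_targets(text)]
        elif entry.suffix.lower() == ".lnk":
            if entry.stem.lower() in DECOY_NAMES:
                findings.append(("decoy-folder-shortcut", entry.name))
            elif Z_NAME.match(entry.stem):
                findings.append(("short-z-shortcut", entry.name))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample drive: file names and contents are made up for the demo.
    drive = Path(tempfile.mkdtemp())
    (drive / "AUTORUN.INF").write_text("[AutoRun]\n;filler\nOpen = sample.exe\n")
    for name in ("Music.lnk", "zFW.lnk", "report.lnk", "notes.txt"):
        (drive / name).write_bytes(b"")
    for kind, detail in triage_drive(drive):
        print(f"{kind}: {detail}")
```

The findings are leads for inspecting the drive, not a verdict: a legitimate shortcut can share one of these names.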

The following image shows what the user will see when accessing the removable drives: